Abstract

Verifiably encrypted signatures were introduced by Boneh,
Gentry, Lynn, and Shacham in 2003, as a non-interactive analogue
to interactive protocols for verifiable encryption of
signatures. As their name suggests, verifiably encrypted
signatures were intended to capture a notion of encryption, and
constructions in the literature use public-key encryption as a
building block.

In this paper, we show that previous definitions for verifiably
encrypted signatures do not capture the intuition that
encryption is necessary, by presenting a generic construction of
verifiably encrypted signatures from any signature scheme. We
then argue that signatures extracted by the arbiter from a
verifiably encrypted signature object should be distributed
identically to ordinary signatures produced by the original
signer, a property that we call resolution independence. Our
generic construction of verifiably encrypted signatures does not
satisfy resolution independence, whereas all previous
constructions do. Finally, we introduce a stronger but less
general version of resolution independence, which we call
resolution duplication. We show that verifiably encrypted
signatures that satisfy resolution duplication generically imply
public-key encryption.